bgpd: Fix use-after-free for ORF case

ton31337 · mergify[bot] · commit 34515ea68f54 · 2026-05-27T18:44:14.000Z
This is similar to ffff1a1, and 3d43d7b. Just mirror and use the same pattern to avoid dangling pointers for orf_plist. ==1==ERROR: AddressSanitizer: heap-use-after-free on address 0x508000037638 at pc 0x7f4daf26dae3 bp 0x7fffb1118f40 sp 0x7fffb1118f30 READ of size 4 at 0x508000037638 thread T0 0 0x7f4daf26dae2 in prefix_list_apply_ext lib/plist.c:789 1 0x55b2c256c487 in subgroup_announce_check bgpd/bgp_route.c:2561 2 0x55b2c2574867 in subgroup_process_announce_selected bgpd/bgp_route.c:3720 3 0x55b2c267fd30 in subgroup_announce_table bgpd/bgp_updgrp_adv.c:853 4 0x55b2c2680174 in subgroup_announce_route bgpd/bgp_updgrp_adv.c:909 5 0x55b2c2672d25 in peer_af_announce_route bgpd/bgp_updgrp.c:2296 6 0x55b2c2537780 in bgp_announce_route_timer_expired bgpd/bgp_route.c:6650 7 0x7f4daf33e06f in event_call lib/event.c:2740 8 0x7f4daf159f39 in frr_run lib/libfrr.c:1258 9 0x55b2c229e612 in main bgpd/bgp_main.c:549 10 0x7f4dad6fa1c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 8e9fd827446c24067541ac5390e6f527fb5947bb) 0x508000037638 is located 24 bytes inside of 88-byte region [0x508000037620,0x508000037678) freed by thread T0 here: 0 0x7f4dafde24d8 in free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52 1 0x7f4daf1a6060 in qfree lib/memory.c:136 2 0x7f4daf26b1b7 in prefix_list_free lib/plist.c:156 3 0x7f4daf26b1b7 in prefix_list_delete lib/plist.c:247 4 0x7f4daf2714c2 in prefix_bgp_orf_remove_all lib/plist.c:1518 5 0x55b2c24f910d in bgp_route_refresh_receive bgpd/bgp_packet.c:2977 6 0x55b2c250809a in bgp_process_packet bgpd/bgp_packet.c:4167 7 0x7f4daf33e06f in event_call lib/event.c:2740 8 0x7f4daf159f39 in frr_run lib/libfrr.c:1258 9 0x55b2c229e612 in main bgpd/bgp_main.c:549 10 0x7f4dad6fa1c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 8e9fd827446c24067541ac5390e6f527fb5947bb) Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org> (cherry picked from commit 6ae21da)
diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
@@ -3001,12 +3001,9 @@ static int bgp_route_refresh_receive(struct peer_connection *connection,
 
 	paf = peer_af_find(peer, afi, safi);
 	if (paf && paf->subgroup) {
-		if (peer->orf_plist[afi][safi]) {
-			updgrp = PAF_UPDGRP(paf);
-			updgrp_peer = UPDGRP_PEER(updgrp);
-			updgrp_peer->orf_plist[afi][safi] =
-				peer->orf_plist[afi][safi];
-		}
+		updgrp = PAF_UPDGRP(paf);
+		updgrp_peer = UPDGRP_PEER(updgrp);
+		updgrp_peer->orf_plist[afi][safi] = peer->orf_plist[afi][safi];
 
 		/* Avoid supressing duplicate routes later
 		 * when processing in subgroup_announce_table().
